Overview
To use a RAM user to detect Alibaba Cloud resources, import existing resources, and create applications by using Cloud Architect Design Tools (CADT), you must attach the following policies and grant the following permissions to the RAM user:
AliyunCADTImportAccess
AliyunConfigFullAccess
Read-only permissions on the deployed cloud services
Grant permissions to a RAM user
Log on to the RAM console. On the Users page, find the RAM user to which you want to grant permissions, and click Add Permissions in the Actions column. In this example, the cadt-user user is used.
In the Add Permissions panel, attach the following policies to the user and click Grant permissions.
In this example, a test application named CADT-Test is used. The CADT-Test application contains Virtual Private Cloud (VPC), Elastic Compute Service (ECS), and Elastic IP Address (EIP) resources. Therefore, you must attach the AliyunCADTImportAccess and AliyunConfigFullAccess policies to the cadt-user user and grant the read-only permissions on the VPC, ECS, and EIP resources to the cadt-user user.
AliyunCADTImportAccess
AliyunConfigFullAccess
AliyunVPCReadOnlyAccess
AliyunECSReadOnlyAccess
AliyunEIPReadOnlyAccess
After you attach the policies to the user, click the name of the user on the Users page to go to the user details page. Click the Permissions tab to view the attached policies. The following figure shows the policies that are attached to the user.
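The same check can be scripted instead of read off the Permissions tab. The following Python sketch is an added example, not part of the original documentation or of any Alibaba Cloud tooling: it compares a user's attached policies with the set prescribed above and flags anything beyond read-only. The function names are hypothetical, the input is assumed to have the JSON shape of a RAM ListPoliciesForUser response, and the sample data is constructed.

```python
import json

# Policies the page attaches for CADT detection and import.
BASE_POLICIES = {"AliyunCADTImportAccess", "AliyunConfigFullAccess"}

# Read-only policy per deployed service, as named on the page.
READONLY_BY_SERVICE = {
    "VPC": "AliyunVPCReadOnlyAccess",
    "ECS": "AliyunECSReadOnlyAccess",
    "EIP": "AliyunEIPReadOnlyAccess",
}

def required_policies(services):
    """Return the policy set the page prescribes for the given services."""
    unknown = sorted(s for s in services if s not in READONLY_BY_SERVICE)
    if unknown:
        raise ValueError(f"no read-only policy mapped for: {unknown}")
    return BASE_POLICIES | {READONLY_BY_SERVICE[s] for s in services}

def audit_user_policies(list_policies_json, services):
    """Compare attached policies with the prescribed set.

    Assumed input shape: {"Policies": {"Policy": [{"PolicyName": ...}]}}
    """
    doc = json.loads(list_policies_json)
    attached = {p["PolicyName"] for p in doc.get("Policies", {}).get("Policy", [])}
    required = required_policies(services)
    extra = attached - required
    return {
        "missing": sorted(required - attached),
        "unexpected": sorted(extra),
        # Name-based heuristic (assumption): extras that are not read-only
        # could let the user do more than the page intends, such as deploy.
        "write_capable": sorted(p for p in extra if not p.endswith("ReadOnlyAccess")),
    }

# Constructed sample: ECS read-only is missing, ECS full access was attached instead.
SAMPLE = json.dumps({"Policies": {"Policy": [
    {"PolicyName": "AliyunCADTImportAccess", "PolicyType": "System"},
    {"PolicyName": "AliyunConfigFullAccess", "PolicyType": "System"},
    {"PolicyName": "AliyunVPCReadOnlyAccess", "PolicyType": "System"},
    {"PolicyName": "AliyunECSFullAccess", "PolicyType": "System"},
    {"PolicyName": "AliyunEIPReadOnlyAccess", "PolicyType": "System"},
]}})

if __name__ == "__main__":
    print(audit_user_policies(SAMPLE, ["VPC", "ECS", "EIP"]))
```

Custom policies do not follow the system naming pattern, so any entry reported as unexpected should be reviewed by reading its policy document.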
Verify permissions
After the preceding permissions are granted, the cadt-user user can detect Alibaba Cloud resources, draw diagrams, and create applications by using CADT. The user can also configure resources, import existing resources, verify resources, confirm the prices of resources, and view cost analysis reports in CADT. However, the user does not have permissions to deploy resources.
Open a browser in incognito mode, and log on to the Alibaba Cloud Management Console as the cadt-user user. Then, log on to the CADT console.
Verify the permissions of the cadt-user user to detect resources.
In the upper part of the page that appears, choose Resources > Resource Profiling.
In the dialog box that appears, click Resource Profiling and select a region in which you want to detect resources.
Note: If you do not select a region, resources in all regions are detected. The test application used in this example is created in the China (Beijing) region. Therefore, the China (Beijing) region is selected in this example.
Wait until the resource detection is complete. The time required for resource detection depends on the number of existing resources.
Verify the permissions of the cadt-user user to import resources.
Create an application.
Create an application architecture that is the same as the test application architecture. The following figure shows the test application architecture.
Double-click the VPC resource. In the panel that appears, set the Purchase method parameter to Import, and select the VPC used in the test application from the instance name drop-down list based on the VPC ID.
Note: To view the IDs of resources used in the test application, choose Application > Deployment Status in the upper part of the page.
Import the vSwitch, ECS instance, and EIP created in the test application in sequence by using the preceding method.
Click Save to save the application.
In the upper-right corner, click Import Resource. In the dialog box that appears, click Import.
Wait until all resources are imported.
Make sure that all resources are imported, as shown in the following figure.
This example shows that a RAM user to which the AliyunCADTImportAccess and AliyunConfigFullAccess policies are attached, and which has read-only permissions on the deployed cloud services, can detect Alibaba Cloud resources, import existing resources, and create applications in CADT.